Drupal FileField Sources XSS Vulnerability

Description of Vulnerability:

The Drupal FileField Sources module (https://drupal.org/project/filefield_sources) "lets you upload files from your computer through a CCK field. The FileField Sources module expands on this ability by allowing you to select new or existing files through additional means." The FileField Sources module contains a persistent cross-site scripting (XSS) vulnerability because it fails to sanitize user-supplied filenames before displaying them.
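The sanitization gap described above, as an added illustration that is not the module's own code: an autocomplete-style callback that echoes stored filenames back to the browser, first without escaping and then with Drupal 6's check_plain() applied. The file list, the function names and the markup-bearing filename are constructed; a local check_plain() fallback is defined only so the file also runs outside Drupal.

```php
<?php
// Added example, not code from the FileField Sources module.
// Drupal 6's check_plain() wraps htmlspecialchars(); the fallback below
// mirrors that so the script runs stand-alone (assumption: same behaviour).
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample of stored files keyed by file id. The second name
// carries markup, as a filename chosen by an uploading user could.
$sample_files = array(
  12 => 'report.jpg',
  13 => 'holiday<b>pic</b>.jpg',
);

// Vulnerable pattern: the raw filename becomes the label that the
// autocomplete widget inserts into the page as HTML, so markup in the
// name is rendered by the browser instead of shown as text.
function autocomplete_labels_unsafe(array $files) {
  $matches = array();
  foreach ($files as $fid => $name) {
    $matches[$name . ' [fid:' . $fid . ']'] = $name;
  }
  return $matches;
}

// Hardened pattern: every user-controlled value is passed through
// check_plain() before it is placed in output destined for the browser,
// and the numeric id is cast so it cannot carry anything else.
function autocomplete_labels_safe(array $files) {
  $matches = array();
  foreach ($files as $fid => $name) {
    $label = check_plain($name);
    $matches[$label . ' [fid:' . (int) $fid . ']'] = $label;
  }
  return $matches;
}

// The unsafe output still contains the <b> tags; the safe output carries
// the entity-encoded text, which the browser displays literally.
$unsafe = autocomplete_labels_unsafe($sample_files);
$safe   = autocomplete_labels_safe($sample_files);
assert(in_array('holiday<b>pic</b>.jpg', $unsafe, true));
assert(in_array('holiday&lt;b&gt;pic&lt;/b&gt;.jpg', $safe, true));
echo json_encode($safe), "\n";
```

The same rule applies to any other place the module prints a filename (field widgets, file listings, status messages): escape at output time, and do not rely on the upload extension whitelist, which constrains only the suffix and not the rest of the name.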

Systems affected:

Drupal 6.24 with FileField Sources 6.x-1.4 was tested and shown to be vulnerable

Impact:

Users creating new content could be subject to account compromise, client-side attack, or other consequences of arbitrary script execution in their browser. (Ref: http://www.madirish.net/548)

Mitigating factors:

In order to carry out arbitrary script injection, malicious users must have the ability to upload files.

Proof of Concept:

Install and enable the CCK, FileField, and FileField Sources modules

Add a new file field for the Story content type at ?q=admin/content/node-type/story/fields

Add 'jpg' as an allowed extension and check 'Autocomplete reference textfield' in the 'File sources' fieldgroup

Vendor Response:

On 19 September, 2012, after the publication of this report, the vendor released SA-CONTRIB-2012-147, which recommends upgrading to FileField Sources 6.x-1.6 or later, or 7.x-1.6 or later, depending on your version of Drupal.